Daon provides identity assurance software for governments and enterprises, with a focus on mobile biometric authentication. In September 2012, the company was awarded a $1.8 million grant to explore how senior citizens could benefit from secure digital identity. Major goals were to test the willingness of users to accept the credentials and the willingness of relying parties to move to external identity providers.

“The pilot established a federated identity service around Daon’s Identity X strong credentialing platform that could be used by a variety of relying parties,” says Cathy Tilton, former vice president of Standards and Technology at Daon (since this interview, Tilton has moved to a position at CSC).

Team members included AARP and the American Association of Airport Executives. AARP members were able to access their health records using mobile biometric authentication. The pilot concluded in April 2015 and neither relying party has any active users. Both the AARP and AAAE are using the pilot experience to redefine future identity strategies.

Outcomes

Daon built out that federated identity, Trust X, and deployed it within several operational pilots. “We were researching mobile biometrics and privacy enhancing technology. That was very successful,” Tilton says. “We had real people using the system and we also looked into the privacy and security aspect of that.”

Lessons learned

“It works, with real agencies signing trustmark agreements with real transactions and trust decisions being made,” says Wandelt. “Getting the granularity and componentization right for reuse is important. Bridging strategies is important for adoption.

“With any new technology, on day one you need to figure a way to make it usable with the existing infrastructure and products that are deployed,” he explains. “We had to figure out how to use trustmark technology without requiring custom changes to existing products.”

Associated with each trustmark is a set of conformance criteria and assessment steps that must be satisfied prior to someone earning a trustmark, says Wandelt. “For example, in order to earn a particular privacy trustmark, you might have to demonstrate that you have implemented a privacy policy for minimizing the collection, use, and dissemination of user data,” he adds. “One of the challenges is that there is a lot of informal trust being leveraged among partners today, and formal policy documentation is weak or non-existent. So in order to be able to issue trustmarks, we often have to assist the trustmark recipients to get their house in order so they can legitimately earn them.”